Ethical hackers are claiming a $10,000 prize for successfully breaking into the webmail account of the chief exec of StrongWebmail after the firm issued a "hack us if you can" challenge.
StrongWebMail runs a callback verification system so that, in theory, even if someone obtains a user's login details they can't read email from …

COMMENTS

Rules?!?

If this doesn't typify "FAIL" then I don't know what does...

"StrongWebMail ... are holding off in paying out the prize because they are yet to be convinced the Ruff and co stuck to competition rules, which prohibit the use of social engineering trickery (such as tricking or paying an insider to hand-over account access)."

To horrifically misappropriate a classic quote: Rulez?!? We don't need no steenking RULEZ!

Of course it's not a valid test!

Stupid

"Hacking competitions such as the one established by StrongWebMail might make for good publicity but they don't prove much."

It's the reverse - they're guaranteed to result in either neutral or negative PR - no good can come out of it. Either the account isn't hacked (which as stated, proves sod all) or the account is hacked and the company gets egg all over its face.

It'll be the same with that credit monitoring company whose CEO blasts out his social security number in a TV advert. Sooner or later, someone's gonna get around their protections and the company is just going to look silly.

Appropriate test conditions.

Would you test a new bullet proof vest by letting people shoot the test dummy in the head? No?

Why's that?

You only test the vulnerability of the technical parts of the system you've control over. DUH!

Supposing you've been sitting in the office writing your own little stored procedure, app, function or whatever, and I'm supposed to write a unit test plan for it... is it robust code? You're pretty confident it is, but then I appear with a bucket of water and dump it over your pc. Oops. Your code didn't allow for that! Back to the drawing board. You waterproof your pc, it passes test one. Test two arrives; the proverbial man in a duck costume wielding a big mallet.

If they were testing the vulnerability of the users to manipulation, it would be a different test. Bog standard hackers don't generally kidnap an SA and pull out his fingernails until he gives up root access, and that there's no 100% guarantee of anything is a given.

However, it is a far better approach than employing hackers-gone-straight full time; tapping into a larger pool of resources and not paying anything for failed attempts.

While it doesn't prove anything it does suggest that the sum of money being offered isn't sufficient compensation for the effort required. In the same way as if a safe manufacturer offered an unclaimed 100k prize for cracking their safe, I'd feel confident leaving a lesser sum in it. Conversely, even if it was cracked, and they were forced back to the drawing board, I'd appreciate both their honesty and their pro-active goals of improvement.

It's patently nonsense to say that nothing can be learned, or that there's no value to it. At the very least you've increased their brand awareness.

Not an issue

"James, Raff and Bailey demonstrated their attack on a test account set up with StrongWebMail by IDG. But the compromise was possible only after the NoScript extension on the Firefox browser of the XP machine used in the test was disabled, IDG reports."

You make this sound like a weakness. It is not.

The attackers were likely taking the HTML / Active Pages to the local system, modifying them, then sending them back out with the XSS applied.

They knew that they were performing the XSS and were doing it on purpose on their own systems.

Disabling NoScript for your own malicious activity that you know you are doing is just common sense. Just like you'd turn off your anti-virus if you were intentionally downloading malware.
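The point made above is that NoScript is a protection on the reader's browser, not on the webmail service, so whether it was on or off on the testers' machine says nothing about the site. The defence that does belong to the service is output encoding of everything it renders from untrusted mail. The following is an added example, not code from the article, from the commenters, or from StrongWebMail: a minimal server-side renderer that HTML-escapes sender, subject and body before they reach the inbox page, with a constructed sample message whose body carries script-bearing markup. The `renderMessage` and `containsInjectedMarkup` helpers are assumptions made for this example.

```javascript
// Added example (not from the page): server-side output encoding for a
// webmail inbox view. The browser-side blocker being disabled on the
// tester's machine is irrelevant if the service never emits live markup
// from message content in the first place.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that matter in an HTML text or attribute
// context. Anything the sender wrote is treated as data, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one message into the inbox page. All three fields are untrusted:
// they are controlled by whoever sent the mail.
function renderMessage(msg) {
  return [
    '<div class="message">',
    `  <div class="from">${escapeHtml(msg.from)}</div>`,
    `  <div class="subject">${escapeHtml(msg.subject)}</div>`,
    `  <pre class="body">${escapeHtml(msg.body)}</pre>`,
    '</div>',
  ].join('\n');
}

// Check used only by this example: every '<' in the rendered output must
// belong to one of our own template tags. Any other tag means message
// content leaked into the page as markup.
function containsInjectedMarkup(html) {
  const ownTags = /^<\/?(div|pre)\b/;
  return html
    .split('<')
    .slice(1)
    .some((fragment) => !ownTags.test('<' + fragment));
}

// Constructed sample message (hypothetical, not a payload from the page).
const SAMPLE = {
  from: 'alice@example.com',
  subject: 'Hi <b>there</b>',
  body: 'Check this: <img src=x onerror="alert(1)"> and "quotes"',
};

// Rendered with encoding: the img tag arrives as inert text.
const rendered = renderMessage(SAMPLE);
console.log(rendered);
console.log('injected markup present:', containsInjectedMarkup(rendered));

// The same body pasted raw into the page is what a browser-side blocker
// would have to catch; the service should never produce it.
const unsafe = `<pre class="body">${SAMPLE.body}</pre>`;
console.log('injected markup present (raw):', containsInjectedMarkup(unsafe));
```

The encoder is deliberately context-specific: it is correct for text nodes and quoted attribute values, which is all `renderMessage` uses. Inserting untrusted data into a `<script>` block, a URL, or an unquoted attribute needs a different encoder, so a real webmail renderer should pick the escaper per insertion point rather than rely on one function everywhere.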

The current result doesn't matter

"Even if no one wins a particular challenge it doesn't follow that a system is unhackable - just that it wasn't broken this time around."

Exactly. Locks, whether physical or virtual, are merely entry delay mechanisms. The best ones delay entry to such an extent as to make the access irrelevant or such that a potential cracker is deterred from trying.